https://community.splunk.com/t5/Getting-Data-In/Parsing-Multi-Line-Timestamp/m-p/700641#M116014 <P>Thanks for your second attempt. I tried, but still no luck.</P><P>Might there be the possibility, that the "Add Data" WebUI Wizard does not support this correctly?</P> Tue, 01 Oct 2024 09:54:36 GMT jroedel 2024-10-01T09:54:36Z https://community.splunk.com/t5/Getting-Data-In/Parsing-Multi-Line-Timestamp/m-p/700629#M116007 <P>I have to parse the timestamp of JSON logs and I would like to include subsecond precision. My JSON-Events start like this:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">{ "instant" : { "epochSecond" : 1727189281, "nanoOfSecond" : 202684061 }, ...</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Thus I tried as config in props.conf:</P><P>&nbsp;</P><LI-CODE lang="markup">TIME_FORMAT=%s,\n "nanoOfSecond" : %9N TIME_PREFIX="epochSecond" :\s MAX_TIMESTAMP_LOOKAHEAD=500</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>That did unfortunately not work.</P><P>&nbsp;</P><P>What is the right way to parse this time stamp with subsecond precision?</P> Tue, 01 Oct 2024 09:38:44 GMT https://community.splunk.com/t5/Getting-Data-In/Parsing-Multi-Line-Timestamp/m-p/700629#M116007 jroedel 2024-10-01T09:38:44Z https://community.splunk.com/t5/Getting-Data-In/Parsing-Multi-Line-Timestamp/m-p/700635#M116011 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213890">@jroedel</a>&nbsp;,</P><P>are you sure about the number of spaces?</P><P>please try this:</P><LI-CODE lang="markup">TIME_FORMAT=%s,\n\s*"nanoOfSecond"\s*:\s*%9N TIME_PREFIX="epochSecond"\s*:\s* MAX_TIMESTAMP_LOOKAHEAD=500</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Tue, 01 Oct 2024 09:44:56 GMT https://community.splunk.com/t5/Getting-Data-In/Parsing-Multi-Line-Timestamp/m-p/700635#M116011 gcusello 2024-10-01T09:44:56Z https://community.splunk.com/t5/Getting-Data-In/Parsing-Multi-Line-Timestamp/m-p/700638#M116012 <P>I tried, but still no luck</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-10-01 at 11.46.03.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/32882iDF526E69B8CF1AC5/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot 2024-10-01 at 11.46.03.png" alt="Screenshot 2024-10-01 at 11.46.03.png" /></span></P><P> </P> Tue, 01 Oct 2024 09:47:18 GMT https://community.splunk.com/t5/Getting-Data-In/Parsing-Multi-Line-Timestamp/m-p/700638#M116012 jroedel 2024-10-01T09:47:18Z https://community.splunk.com/t5/Getting-Data-In/Parsing-Multi-Line-Timestamp/m-p/700639#M116013 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213890">@jroedel</a>&nbsp;,</P><P>please try this:</P><LI-CODE lang="markup">TIME_FORMAT=%s,\n\s*\"nanoOfSecond\"\s*:\s*%9N TIME_PREFIX=\"epochSecond\"\s*:\s* MAX_TIMESTAMP_LOOKAHEAD=500</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Tue, 01 Oct 2024 09:49:09 GMT https://community.splunk.com/t5/Getting-Data-In/Parsing-Multi-Line-Timestamp/m-p/700639#M116013 gcusello 2024-10-01T09:49:09Z https://community.splunk.com/t5/Getting-Data-In/Parsing-Multi-Line-Timestamp/m-p/700641#M116014 <P>Thanks for your second attempt. I tried, but still no luck.</P><P>Might there be the possibility, that the "Add Data" WebUI Wizard does not support this correctly?</P> Tue, 01 Oct 2024 09:54:36 GMT https://community.splunk.com/t5/Getting-Data-In/Parsing-Multi-Line-Timestamp/m-p/700641#M116014 jroedel 2024-10-01T09:54:36Z https://community.splunk.com/t5/Getting-Data-In/Parsing-Multi-Line-Timestamp/m-p/700644#M116015 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213890">@jroedel</a>&nbsp;,</P><P>if the Add Data feature doesn't permit to use this feature I suppose that it isn't possible event if it's strange.</P><P>I tried but I have the same result</P><P>Ciao.</P><P>Giuseppe</P> Tue, 01 Oct 2024 10:12:55 GMT https://community.splunk.com/t5/Getting-Data-In/Parsing-Multi-Line-Timestamp/m-p/700644#M116015 gcusello 2024-10-01T10:12:55Z https://community.splunk.com/t5/Getting-Data-In/Parsing-Multi-Line-Timestamp/m-p/700663#M116017 <P>Finally after a lot of testing I found a solution via <STRONG>transforms</STRONG>.conf</P><P>&nbsp;</P><LI-CODE lang="markup">[timestamp-fix] INGEST_EVAL= _time=json_extract(_raw,"instant.epochSecond").".".json_extract(_raw,"instant.nanoOfSecond")</LI-CODE><P>&nbsp;</P><P>Furthermore, it turned out that regex is not allowed in TIME_FORMAT field in props.conf.</P> Tue, 01 Oct 2024 13:45:17 GMT https://community.splunk.com/t5/Getting-Data-In/Parsing-Multi-Line-Timestamp/m-p/700663#M116017 jroedel 2024-10-01T13:45:17Z https://community.splunk.com/t5/Getting-Data-In/Parsing-Multi-Line-Timestamp/m-p/700671#M116018 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213890">@jroedel</a>&nbsp;,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Tue, 01 Oct 2024 14:07:18 GMT https://community.splunk.com/t5/Getting-Data-In/Parsing-Multi-Line-Timestamp/m-p/700671#M116018 gcusello 2024-10-01T14:07:18Z